However, according to Forcepoint, the Adfly also contains the same backdoor as the DDoS tool Sledgehammer. Leonard said there are strong indicators that the hacked version of the Adlfy component does not work. Researchers said it is unclear how hackers leverage the malicous Adfly version to make money, if at all. Forcepoint said that the “click fraud” bots are specially crafted to be used to generate revenue on pay-to-click sites such as Ojooo, PTCFarm and Neobux. Adfly is a legitimate web page redirection service that shows interstitial ads and allows people to generate revenue via clicks.
Hackers are also rewarded with a “Trojanized Adfly click fraud bot that includes code snippets for generating revenue via the Adfly,” Forcepoint said. “The first pixel’s ARGB value indicates the size of the payload, and the rest of the image contains the payload itself,” Forcepoint said. The bitmap image downloaded by the backdoor, using steganography to hide code, contains the embedded. This ‘guard’ component ensures that if the backdoor is deleted then it will be re-downloaded and also installed as a service.” It also downloads a secondary ‘guard’ component which it installs as a service. “The backdoor is a very small Trojan and its sole purpose is to download, extract and execute another. The zinger for participating hackers, Forcepoint said, is that Sledgehammer has an unadvertised backdoor that allow the program’s authors to access computers running the DDoS software. Once a participant achieves a certain level of points they are awarded an unlocked version of Sledgehammer that they can customize and re-distributed to conduct DDoS attacks themselves. Threatpost contacted one Sledgehammer target, the Armenian National Institute, which said it was unaware of any recent attempted site disruptions. “We believe that those behind Sledgehammer are in the participant acquisition phase and are trying to reach critical mass,” Leonard said. Currently, there is little evidence that the hacking group has successfully knocked a targeted site offline. Sledgehammer utilizes the PC’s resources to conduct the attack, routing DDoS traffic through the anonymizing Tor service. “Those who appear on this target list appear to be there for political reasons… Users receive a point for every 10 minutes they attack one of the websites,” according to Forcepoint, which on Wednesday released its report.
Sledgehammer is software that comes preconfigured to perform HTTP-based Slowloris-type DDoS assaults against 24 preselected sites determined by the software’s author.
Next, participants are required to download a DDoS attack tool called Sledgehammer. Users congregate online within the program and can communicate and compare points they earn. Surface Defense runs locally on a computer. Hackers are recruited via Turkish Dark Web hacker forums, and to participate in the program they must download the Surface Defense collaboration program and register. “It’s unclear if those behind the Surface Defense platform are indeed politically motivated or they are simply using politics as a marketing tool to lure hackers into their network.”įorcepoint believes that this is the first time a hacker has “gamified” a hacking platform to the extent that participants compete against one another and can compare scores and redeem points for rewards on a single service. Targets of the DDoS attacks range from the Kurdistan Workers Party, German Christian Democratic Party and the Armenian National Institute website in Washington D.C., said Carl Leonard, principal security analyst at Forcepoint. Promoters of Surface Defense are actively recruiting Turkish hackers that may be sympathetic to Turkish nationalist beliefs, Forcepoint believes. The hacking platform is called Surface Defense and is being promoted in Turkish-language Dark Web forums including Turkhackteam and Root Developer, according to Forcepoint Security Labs, the security firm that first uncovered and reported the DDoS platform. The goal, security researchers say, is to “gamify” DDoS attacks in order to attract a critical mass of hackers working toward a unified goal. A Turkish hacking crew is luring participants to join its DDoS platform to compete with peers to earn redeemable points that are exchangeable for hacking tools and click-fraud software.